Analysis
- max time kernel: 95s
- max time network: 104s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 23/05/2022, 01:49
Static task: static1
Behavioral task: behavioral1
- Sample: b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe
- Resource: win10v2004-20220414-en
General
- Target: b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe
- Size: 589KB
- MD5: f04791f80ce74a9702ecda811fca7edf
- SHA1: 33e5c4fd1858bf56c91586ce72daa6029039e23d
- SHA256: b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a
- SHA512: 6fe47afdc7485b6ae7287070f66a0d3831a8cdc82b0a3c96281ad80a45d9c4361023d61cf2f382fda4d916f5c1681a3359e9a5567270af782bd26a2a08ab7974
Malware Config
- Extracted family: azorult
- C2 URL: http://89.43.107.198/mpom/index.php
Signatures
- Azorult
  An information stealer first seen in 2016; it harvests browser history, saved passwords and other credentials and posts them to the C2 URL extracted above.
- Executes dropped EXE (2 IoCs)
  pid   Process
  2628  ufzxfyzp.exe
  2844  ufzxfyzp.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this "likely ransomware behaviour", but the signature fires for any drive enumeration; stealers enumerate drives while collecting files, so for this Azorult sample it is not on its own evidence of encryption activity.
- Suspicious use of WriteProcessMemory (13 IoCs)
  description                        pid   Process                                                                  procid_target  count
  PID 728 wrote to memory of 2628    728   b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe    80             3
  PID 2628 wrote to memory of 2844   2628  ufzxfyzp.exe                                                             81             10
  The Windows PID of the target process is the one named in the description (2628, then 2844); procid_target (80, 81) is the report's own index for that process, not a Windows PID.
Processes
1. C:\Users\Admin\AppData\Local\Temp\b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe"
   PID: 728
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe (child of PID 728)
      Command line: C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe C:\Users\Admin\AppData\Local\Temp\qdsxhjzcml
      PID: 2628
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe (child of PID 2628)
         Command line: C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe C:\Users\Admin\AppData\Local\Temp\qdsxhjzcml
         PID: 2844
         - Executes dropped EXE

The original sample drops ufzxfyzp.exe and a second, extensionless file (qdsxhjzcml) into the same Temp directory, runs the dropped EXE with that file as its only argument, and that EXE in turn spawns a second copy of itself with the same command line. Read together with the WriteProcessMemory IoCs (PID 2628 writing into PID 2844), this is the shape of a loader staging its payload in a fresh copy of its own image; the report does not show what was written, so treat the exact injection technique as unconfirmed.
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 214KB
  MD5: 664dc99256a895e016c2a583aa186011
  SHA1: d543975302871a614057d02e12c3531698c0b706
  SHA256: 67f7b33425bc7a7788d817712b9b73642e2c7402130e795b2d7384cf9839b939
  SHA512: 37799fb22e33cb30370f19801e8b8bf9c0b8b94ef72ce394b02d0d6f689b923945be8e287b6cc438f0572a83ed389d9e5a50b487f724810b8599ed35e8cd2f39
- Filesize: 4KB
  MD5: d794073cea5c25016fc9e10d9d561d3b
  SHA1: 0a864adb3a08b19cbadb52f70281c1a48ef62a90
  SHA256: 850731e6c213f62dc30227a97ebe8eb699f7dbeb5df8161b3842a8f7b16f10f2
  SHA512: cc4664f3bdb3a4a1f8a9b764d74d251c3148875ba7d6bb975a1bde0f3a648dc91ca9ff8279a1ae4e60b22c1d021cafbb35973ea0259a5a7027cfdb7d0df7972b
- Filesize: 171KB (the report lists this same file three times)
  MD5: 1398f625da2ce1ea75874863a150ed27
  SHA1: 36f3466a87ba1d195658d4fda7dc724b7ccfbca5
  SHA256: 7ef9f09ed7edff46712175015049a0afa8d366ce7d11fcc3fe00105a645e909f
  SHA512: b40cc8bec833c5806aa078a248c82f9a8cf9bee99eb821c90ee1de71ffb4a47dbc34a360cfab39cf573e5572a61c83d842780c626ae0a0fe2c3519fe06a3f22e
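The WriteProcessMemory IoCs, the process tree and the download list above are the three things a responder usually pulls out of a report like this. The script below is an added triage example, not part of the report or of any sandbox vendor's tooling: it parses the run-together IoC records into writer/target edges, follows the chain from the original sample's PID, flags writes into a child running the same image, and rebuilds the download records (whose hash labels are fused to their values on the page) into a deduplicated, length-checked list. All input is constructed from the values printed above; SHA512 values are omitted from the download sample only to keep it short, and the function names are this example's own.

```python
"""Triage helpers for a flattened sandbox report (added example, not report code)."""
import re
from collections import Counter, defaultdict

SAMPLE = "b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# The 13 IoC records, run together on one line as the page prints them (constructed).
WPM_RAW = (
    f"PID 728 wrote to memory of 2628 728 {SAMPLE} 80 " * 3
    + "PID 2628 wrote to memory of 2844 2628 ufzxfyzp.exe 81 " * 10
)
WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<pid>\d+) (?P<image>\S+) (?P<target_idx>\d+)"
)

# Process tree from the "Processes" section: (pid, parent pid, image, command line).
PROCESSES = [
    (728, None, SAMPLE, f'"{TEMP}\\{SAMPLE}"'),
    (2628, 728, "ufzxfyzp.exe", f"{TEMP}\\ufzxfyzp.exe {TEMP}\\qdsxhjzcml"),
    (2844, 2628, "ufzxfyzp.exe", f"{TEMP}\\ufzxfyzp.exe {TEMP}\\qdsxhjzcml"),
]

# Download records with the hash label fused to its value, as on the page (constructed).
DOWNLOADS_RAW = (
    "Filesize\n214KB\n"
    "MD5664dc99256a895e016c2a583aa186011\n"
    "SHA1d543975302871a614057d02e12c3531698c0b706\n"
    "SHA25667f7b33425bc7a7788d817712b9b73642e2c7402130e795b2d7384cf9839b939\n-\n"
    "Filesize\n4KB\n"
    "MD5d794073cea5c25016fc9e10d9d561d3b\n"
    "SHA10a864adb3a08b19cbadb52f70281c1a48ef62a90\n"
    "SHA256850731e6c213f62dc30227a97ebe8eb699f7dbeb5df8161b3842a8f7b16f10f2\n-\n"
    + (
        "Filesize\n171KB\n"
        "MD51398f625da2ce1ea75874863a150ed27\n"
        "SHA136f3466a87ba1d195658d4fda7dc724b7ccfbca5\n"
        "SHA2567ef9f09ed7edff46712175015049a0afa8d366ce7d11fcc3fe00105a645e909f\n-\n"
    ) * 3
)
HASH_RE = re.compile(r"^(MD5|SHA512|SHA256|SHA1)([0-9a-fA-F]+)$")  # longest labels first
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def parse_wpm(raw: str) -> list[dict]:
    """One dict per 'PID A wrote to memory of B ...' record."""
    return [m.groupdict() for m in WPM_RE.finditer(raw)]


def injection_edges(records: list[dict]) -> dict[tuple[int, int, str], int]:
    """Collapse repeated records into (writer pid, target pid, writer image) -> count."""
    edges: Counter = Counter()
    for r in records:
        edges[(int(r["src"]), int(r["dst"]), r["image"])] += 1
    return dict(edges)


def write_chain(edges: dict, root: int) -> list[int]:
    """Follow writer -> target edges from root; stops on a cycle in malformed input."""
    nxt = defaultdict(list)
    for src, dst, _img in edges:
        nxt[src].append(dst)
    chain, seen = [root], {root}
    while nxt.get(chain[-1]):
        dst = nxt[chain[-1]][0]
        if dst in seen:
            break
        seen.add(dst)
        chain.append(dst)
    return chain


def self_image_writes(edges: dict, processes: list[tuple]) -> list[tuple[int, int]]:
    """Edges where a process writes into its own child running the same image:
    the shape seen when a loader stages a payload in a fresh copy of itself."""
    image = {pid: img for pid, _p, img, _c in processes}
    parent = {pid: p for pid, p, _i, _c in processes}
    return sorted((s, d) for s, d, _ in edges if parent.get(d) == s and image.get(s) == image.get(d))


def parse_downloads(raw: str) -> list[dict]:
    """Rebuild one record per 'Filesize' block, splitting label from hash value."""
    entries: list[dict] = []
    for line in raw.splitlines():
        line = line.strip()
        if line == "Filesize":
            entries.append({})
        elif entries and re.fullmatch(r"\d+KB", line):
            entries[-1]["size"] = line
        elif entries and (m := HASH_RE.match(line)):
            entries[-1][m.group(1).lower()] = m.group(2).lower()
    return entries


def bad_hash_lengths(entry: dict) -> list[str]:
    """Hash fields whose length is wrong: catches a mis-split or truncated value."""
    return [k for k, n in HASH_LEN.items() if k in entry and len(entry[k]) != n]


def unique_by_sha256(entries: list[dict]) -> list[dict]:
    """Collapse repeated records (the report lists the 171KB file three times)."""
    uniq: dict[str, dict] = {}
    for e in entries:
        u = uniq.setdefault(e["sha256"], {**e, "seen": 0})
        u["seen"] += 1
    return list(uniq.values())


if __name__ == "__main__":
    edges = injection_edges(parse_wpm(WPM_RAW))
    print("write chain:", " -> ".join(map(str, write_chain(edges, 728))))
    print("self-image writes:", self_image_writes(edges, PROCESSES))
    for d in unique_by_sha256(parse_downloads(DOWNLOADS_RAW)):
        print(d["size"], d["sha256"], "x%d" % d["seen"], bad_hash_lengths(d) or "ok")
```

The length check matters because of how these pages flatten: a label fused to its value ("MD5664dc...") is easy to split wrongly, and a hash with a missing or extra character silently fails to match anything in a blocklist. The self-image check is deliberately narrow (parent writes into a child running the same image) so it stays true to what the IoC table shows rather than asserting a specific injection technique.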